Milestone Customer Support
Article number:  000003402
Article type:  Cyber Security
Article audience:  Professional
Category type:  Configuration
Product:  XProtect Corporate, XProtect Professional
Type:  Software issue
Version:  1
First published:  09/13/2017
Last modified:  09/20/2017

ONVIF potential security vulnerability

A vulnerability has been discovered in a third-party toolkit used by XProtect products.

The Genivia gSOAP Toolkit is used in XProtect Device Packs to facilitate ONVIF device support. In systems using versions 2.7 to 2.8.47 of the gSOAP Toolkit, it may be possible to inject code or trigger a malfunction by passing a specially crafted XML message over 2 GB in size.

XProtect systems using Device Pack versions 9.2 and earlier are affected.

The risk of exploitation is significantly reduced by following the best practices described in the Milestone Systems XProtect VMS Hardening Guide.

The gSOAP Toolkit (2.8.48) used in the upcoming Device Pack 9.3 is not affected by this issue. For more information, check the following resources: